“The settlement agreement falls within the range of possible approval as fair, reasonable, adequate, and in the best interests of the class,” U.S. District Court Judge Edward Davila in the Northern District of California wrote in an order issued on Thursday. Davila's order only grants the deal “preliminary” approval, meaning that he could still reject the settlement after a final hearing. The settlement agreement calls for LinkedIn to pay up to $50 to some of the users who purchased premium memberships to the service. The social-networking company also promises that for the next five years, it will protect users' passwords by “salting” and “hashing” them.
TechWeekEurope UK: LinkedIn: Password Breach Cost Us As Much As $1m.

The LinkedIn hack and lessons learned. LinkedIn: No accounts hacked as result of stolen passwords. LinkedIn today updated its users on the stolen password fiasco that arose last week in which 6.4 million passwords were illegally obtained and posted on a Russian Web site.

According to a blog post from LinkedIn’s Vicente Silveira the company has received no reports that member accounts have been breached as a result of the stolen passwords. Silveira also said that the company is working with the FBI to “aggressively pursue the perpetrators of this crime.” “First, it’s important to know that compromised passwords were not published with corresponding email logins,” Silveira wrote. “At the time they were initially published, the vast majority of those passwords remained hashed, i.e. encoded, but unfortunately a subset of the passwords was decoded.

Again, we are not aware of any member information being published at any time in connection with the list of stolen passwords.
Analysis of Passwords Dumped from LinkedIn. I love taking a look at dumped passwords and analyzing them with Pipal by DigiNinja.

Pipal is a great analytical program that takes a password dump and looks for patterns, including password lengths and complexities. I have always liked statistics and you can learn a lot from running passwords through Pipal. I took a quick look at Pastebin and found that Stefan Venken (@StefanVenken) had already taken almost a million and a half of the LinkedIn passwords and analyzed them with Pipal.

Here are some of the more interesting results:
LinkedIn dials 911 on password mega-leak hackers. How Charles Dickens helped crack your LinkedIn password. Kevin Young, a computer security expert who studies passwords, is nearly at a loss for words.

Literally. Young and his colleagues are working to decode some 2.6 million scrambled LinkedIn passwords, part of a total of 6.1 million released earlier this week on a Russian password cracking forum. Young studies how people pick passwords and how resistant they are to cracking. The data that was released were password hashes, or cryptographic representations of passwords churned through an algorithm called SHA-1. For example, if a person's password is "Rover" the SHA-1 hash would be "ac54ed2d6c6c938bb66c63c5d0282e9332eed72c." Converting those hashes into their original passwords is possible using decoding tools and powerful graphics processors. What's interesting about the LinkedIn hashes is the trouble experts are having at converting the hashes to their original password. That leaves 2.6 million uncracked hashes, which Young and some colleagues have been working to decode.
Avoiding Password Breaches 101: Salt Your Hash. “Change your passwords now. Like, every password you use on every website you have ever visited.” You may have heard this advice from tech publications and mainstream rags after password leaks were discovered at LinkedIn, eHarmony and Last.fm. It is a good idea to change passwords at least a couple times a year anyway. But the problem does not lie solely with the users. It also lies with the way companies approach password security. Since the leaks were revealed, tech pundits have been feigning outrage over LinkedIn’s subpar salting and hashing of passwords.
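The "salt your hash" advice above is easier to see in code. The following is an added example, not code from the page or from LinkedIn: it contrasts a bare SHA-1 per password (the scheme the leak exposed) with a per-user random salt plus an iterated hash. The salt length (16 bytes), the PBKDF2-HMAC-SHA256 construction and the iteration count are assumptions chosen for illustration, not values the page gives.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameter (not from the page): iteration count for the slow hash.
ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the page criticises: one bare SHA-1 digest per password.
    Every user with the same password gets the same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted, iterated hash: a fresh random salt per user, stored beside the digest.
    The salt is not secret; its job is to make identical passwords hash differently
    and to force any precomputed table to be rebuilt per user."""
    if salt is None:
        salt = os.urandom(16)  # assumed salt size
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_collides(password: str) -> tuple:
    """Two users choosing the same password.
    Returns (unsalted_equal, salted_equal): True/False shows why the salt matters.
    Unsalted, one lookup of the shared digest identifies both accounts at once;
    salted, the two stored values differ and neither reveals the other."""
    unsalted_equal = unsalted_sha1(password) == unsalted_sha1(password)
    salted_equal = make_record(password)["hash"] == make_record(password)["hash"]
    return unsalted_equal, salted_equal


if __name__ == "__main__":
    print("bare SHA-1 of 'password':", unsalted_sha1("password"))
    print("same password, same stored value? (unsalted, salted):", same_password_collides("password"))
    rec = make_record("hunter2")  # constructed sample credential
    print("verify correct:", verify("hunter2", rec), "verify wrong:", verify("hunter3", rec))
```

The stored record keeps the salt and iteration count next to the digest so that the parameters can be raised later without invalidating old entries; a verifier reads them back rather than assuming a global constant.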
LinkedIn's security issue reveals obvious: Passwords, users always a weak link. The years change, but the stories remain the same.

Passwords are a crappy defense and most of us use poor ones in exchange for ease of use. Some LinkedIn users had their passwords stolen. Phishing attacks ensued to prey on LinkedIn users. Now eHarmony has had issues.
» How To Protect Your Hacked LinkedIn Account. LinkedIn confirms it was hacked; a dating site was also affected. Check whether your LinkedIn password has been hacked. The news broke yesterday: 6.5 million LinkedIn passwords have been hacked!

He is an independent consultant, writer, and speaker specialising in security education. ...here's what you should do. Published 12:31, 06 June 12. Updating Your Password on LinkedIn and Other Account Security Best Practices. Our security team continues to investigate this morning’s reports of stolen passwords.

At this time, we’re still unable to confirm that any security breach has occurred. You can stay informed of our progress by following us on Twitter @LinkedIn and @LinkedInNews. While our investigation continues, we thought it would be a good idea to remind our members that one of the best ways to protect your privacy and security online is to craft a strong password, to change it frequently (at least once a quarter or every few months) and to not use the same password on multiple sites.

Use this as an opportunity to review all of your account settings on LinkedIn and on other sites too. Remember, no matter what website you’re on, it’s important for you to make sure that you protect your account security and privacy. Here are some account security and privacy best practices that we recommend for our members:
An Update on LinkedIn Member Passwords Compromised. We want to provide you with an update on this morning’s reports of stolen passwords.

We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:
6.5 Million LinkedIn Password Hashes Leaked. Some observations on this file:
0. This is a file of SHA1 hashes of short strings (i.e. passwords).
1. There are 3,521,180 hashes that begin with 00000. I believe that these represent hashes that the hackers have already broken and they have marked them with 00000 to indicate that fact.

Evidence for this is that the SHA1 hash of 'password' does not appear in the list, but the same hash with the first five characters set to 0 is.
5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 is not present
000001e4c9b93f3f0682250b6cf8331b7ee68fd8 is present
Same story for 'secret':
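The "00000" observation above can be checked mechanically. What follows is an added example, not the analyst's own script: it hashes a candidate, masks the first five hex digits the way the leaked file does, and reports whether the dump holds the intact digest, only the masked form, or neither. The three-entry dump is constructed inline so the code runs offline; on the real file you would read one hex digest per line into the same set.

```python
import hashlib


def sha1_hex(s: str) -> str:
    """SHA-1 hex digest of a string, as the leaked file stores passwords."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def mark_cracked(h: str) -> str:
    """Reproduce the file's marking: overwrite the first five hex digits with zeros."""
    return "00000" + h[5:]


# Constructed sample dump (not the real file): two entries marked as already
# broken, one left intact.
SAMPLE_DUMP = {
    mark_cracked(sha1_hex("password")),          # 000001e4c9b93f3f0682250b6cf8331b7ee68fd8
    mark_cracked(sha1_hex("secret")),            # the page's "same story for 'secret'"
    sha1_hex("correct horse battery staple"),    # constructed: an unbroken entry
}


def lookup(candidate: str, dump: set) -> str:
    """Classify a candidate against the dump.

    'intact'  - its exact SHA-1 is present (not marked as broken)
    'marked'  - only the zero-masked form is present (already broken)
    'absent'  - neither form is present
    The exact-match test runs first, so a genuine digest that happens to start
    with 00000 (about 1 in a million) is still reported as intact.
    """
    h = sha1_hex(candidate)
    if h in dump:
        return "intact"
    if mark_cracked(h) in dump:
        return "marked"
    return "absent"


def summarize(dump: set) -> dict:
    """Count marked versus intact entries, the split the page reports as
    3,521,180 marked out of 6.5 million."""
    marked = sum(1 for h in dump if h.startswith("00000"))
    return {"total": len(dump), "marked": marked, "intact": len(dump) - marked}


if __name__ == "__main__":
    for word in ("password", "secret", "correct horse battery staple", "letmein"):
        print(f"{word!r}: {lookup(word, SAMPLE_DUMP)}")
    print(summarize(SAMPLE_DUMP))
```

For a defender the useful output is the summary: the masked count is a lower bound on how many accounts were already exposed before the file went public, independent of any cracking effort of your own.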
LinkedIn confirms 'some' passwords leaked. Computerworld - In response to widespread reports of a massive data breach at LinkedIn, the company Wednesday confirmed that passwords belonging to "some" of its members have been compromised.

More than 6 million LinkedIn passwords likely stolen - Jun. 6. Researchers say a stash of what appear to be LinkedIn passwords were protected by a weak security scheme. NEW YORK (CNNMoney) -- Russian hackers released a giant list of passwords this week, and on Wednesday security researchers identified their likely source: business social networking site LinkedIn. LinkedIn (LNKD) confirmed in a blog post late Wednesday afternoon that some of the stolen passwords correspond to LinkedIn accounts. The company did not offer any information about how the passwords were stolen or the extent of the damage, but it said it is "continuing to investigate" the matter.